A command injection vulnerability exists in the web server of some Hikvision products due to insufficient input validation. Unauthorized persons could send messages with malicious commands to the web server via this vulnerability. The manufacturer has provided a firmware update to close this vulnerability. OEMs such as ABUS and TRENDnet are also affected.
Hikvision was founded in 2001 and is a Chinese provider of video surveillance products and solutions that had 42,685 employees in 2021. Its turnover is now several billion euros, and its security cameras are also widely used in Germany. In addition, Hikvision cameras are sold by many OEMs.
In 2019, it became known that the company had advertised a security camera as being able to detect ethnic minorities, such as Uyghurs. After critical inquiries regarding Chinese human rights violations against Uyghurs, the company deleted the product page.
On Twitter, DG3FBL informed me about the current vulnerability CVE-2021-36260 in the Hikvision firmware via the above tweet. The vulnerability is likely to affect 100 million cameras from Hikvision and about 90 OEMs. The vulnerability is rated CVSS 9.8, so it is critical, and people who use the products to monitor objects should act promptly.
In its security advisory HSRC-202109-01, dated September 19, 2021, Hikvision only states that a command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, attackers can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
The vulnerability was first discovered and reported in June 2021 by security specialists from Watchful IP. All camera models listed in security advisory HSRC-202109-01, dated September 19, 2021, that are accessible from the Internet via port forwarding have this vulnerability in the older firmware versions. Attackers could then gain full control over these cameras.
Watchful IP states that even firmware from 2016 was tested and found to be vulnerable. Only access to the http(s) server port (usually 80/443) is required. No username or password is needed, nor does the camera owner need to perform any action. The attack cannot be detected through the camera's own logging. A list of affected camera models and firmware versions can be found in the Watchful IP article, and the patched firmware versions are listed in security advisory HSRC-202109-01. Another report on the topic is available here.